Here are a few things I would recommend to tighten it a bit:
Quote:
Originally Posted by jimbo7
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
Make these more specific, with interface names and packet states. Like:
Code:
# LAN (eth0) -> uplink (wlan0), new connections only; replies are handled by a state rule
iptables -A FORWARD -p tcp -i eth0 -o wlan0 --dport 80 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o wlan0 --dport 443 \
-m state --state NEW -j ACCEPT
Quote:
Originally Posted by jimbo7
# Don't forward from the outside to the inside [OPTIONAL]
iptables -A FORWARD -i wlan0 -o eth0 -j REJECT
Eliminate this rule.
You are much better off letting the packets hit the DROP policy.
Quote:
Originally Posted by jimbo7
echo 1 > /proc/sys/net/ipv4/ip_forward
Add a line like this to the start of the script, but have it echo a zero instead of a one. This way, you know that any time the script is run, forwarding will be disabled until everything is set up.
Quote:
Originally Posted by jimbo7
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
Sending OUTPUT packets to DROP without sending them to LOG first is a habit that should be avoided as much as possible. Generally speaking, it's important to know exactly when unusual packets are being generated by your box. It can sometimes mean the difference between (for example) knowing your Apache's been owned, and being clueless about it.
Code:
# LOG first (the prefix makes the entries easy to grep in the kernel log), then DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j LOG \
--log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j LOG \
--log-prefix "OUTPUT DROP: "
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
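Putting the recommendations in this reply together as an added example script (not jimbo7's script and not the code quoted above): forwarding is switched off first, every DROP is preceded by a LOG rule, and the FORWARD rules are interface-specific and stateful. The eth0 = LAN / wlan0 = uplink roles are assumed from the rules above; the IPT dry-run variable, the DROP policies and the ESTABLISHED,RELATED rule are this example's own additions.

```shell
#!/bin/sh
# Example firewall skeleton (added here, not the thread's own script).
# eth0 = LAN side, wlan0 = uplink, as implied by the rules in the thread.
# IPT defaults to "echo iptables" so the script can be dry-run without root;
# run with IPT=iptables RUN_FIREWALL=1 as root to apply the rules for real.
IPT="${IPT:-echo iptables}"
LAN=eth0
WAN=wlan0

# Write the ip_forward sysctl when applying for real; otherwise show the command.
set_forwarding() {
    if [ "$IPT" = iptables ]; then
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# LOG rule immediately followed by an identical DROP rule, so nothing is dropped silently.
# Usage: log_and_drop CHAIN "PREFIX: " match-args...
log_and_drop() {
    chain=$1; prefix=$2; shift 2
    $IPT -A "$chain" "$@" -j LOG --log-prefix "$prefix" --log-level 4
    $IPT -A "$chain" "$@" -j DROP
}

# Permit NEW LAN -> uplink TCP connections to one port; the replies are matched
# by the ESTABLISHED,RELATED rule added in build_firewall.
forward_new_tcp() {
    $IPT -A FORWARD -p tcp -i "$LAN" -o "$WAN" --dport "$1" -m state --state NEW -j ACCEPT
}

build_firewall() {
    set_forwarding 0                     # 1. nothing is forwarded while rules load
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP                 # unmatched uplink -> LAN traffic hits the policy
    $IPT -P OUTPUT ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_new_tcp 80                   # WEB
    forward_new_tcp 443                  # HTTPS
    log_and_drop OUTPUT "OUTPUT DROP: " -p tcp --sport 137:139 -o "$LAN"   # NetBIOS
    log_and_drop OUTPUT "OUTPUT DROP: " -p udp --sport 137:139 -o "$LAN"
    set_forwarding 1                     # 2. enable forwarding only once rules are in place
}

if [ "${RUN_FIREWALL:-0}" = 1 ]; then
    build_firewall
fi
```

Running it without RUN_FIREWALL=1 only defines the functions, so `build_firewall` can be called by hand to print the full rule set for review before it is applied.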